T1558.002 Silver Ticket Mappings

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)

Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)

Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1558.002 | Silver Ticket |
| AC-17 | Remote Access | Protects | T1558.002 | Silver Ticket |
| AC-18 | Wireless Access | Protects | T1558.002 | Silver Ticket |
| AC-19 | Access Control for Mobile Devices | Protects | T1558.002 | Silver Ticket |
| AC-2 | Account Management | Protects | T1558.002 | Silver Ticket |
| AC-3 | Access Enforcement | Protects | T1558.002 | Silver Ticket |
| AC-5 | Separation of Duties | Protects | T1558.002 | Silver Ticket |
| AC-6 | Least Privilege | Protects | T1558.002 | Silver Ticket |
| CA-7 | Continuous Monitoring | Protects | T1558.002 | Silver Ticket |
| CM-2 | Baseline Configuration | Protects | T1558.002 | Silver Ticket |
| CM-5 | Access Restrictions for Change | Protects | T1558.002 | Silver Ticket |
| CM-6 | Configuration Settings | Protects | T1558.002 | Silver Ticket |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1558.002 | Silver Ticket |
| IA-5 | Authenticator Management | Protects | T1558.002 | Silver Ticket |
| SC-4 | Information in Shared System Resources | Protects | T1558.002 | Silver Ticket |
| SI-12 | Information Management and Retention | Protects | T1558.002 | Silver Ticket |
| SI-3 | Malicious Code Protection | Protects | T1558.002 | Silver Ticket |
| SI-4 | System Monitoring | Protects | T1558.002 | Silver Ticket |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1558.002 | Silver Ticket |
| action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket |